Quantum protocols for anonymous voting and surveying 
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We describe quantum protocols for voting and surveying. A key feature of our schemes is the 
use of entangled states to ensure that the votes are anonymous and to allow the votes to be tallied. 
The entanglement is distributed over separated sites; the physical inaccessibility of any one site is 
sufficient to guarantee the anonymity of the votes. The security of these protocols with respect to 
various kinds of attack is discussed. We also discuss classical schemes and show that our quantum 
voting protocol represents a iV-fold reduction in computational complexity, where N is the number 
of voters. 
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I. INTRODUCTION 

A well-established consequence of the proven security 
[l[ of quantum key distribution is that quantum systems 
can be used for unconditionally secure classical informa- 
tion transmission. It is widely believed that classical 
cryptosystems cannot distribute a key such as a one-time 
pad with unconditional security. Without a one-time pad 
classical cryptosystems are secure only on condition that 
insufficient computational resources are available to ren- 
der them vulnerable. While this assumption is reason- 
able at the present time, we anticipate that, in the fu- 
ture, quantum computers will be developed which may 
be used to attack cryptosystems reliant upon either in- 
teger factorization or discrete logarithm evaluation us- 
ing, for example, Shor's algorithm. The security of most 
common cryptosystems is dependent on the fact that no 
known efficient classical algorithm exists that can break 
particular implementations used within the time period 
for which security is desired. As such, although quan- 
tum computation will bring many benefits, it will also be 
highly disruptive with regard to data security. 

For this reason, it is highly probable that, to create 
cryptographic keys, we will have to turn to quantum me- 
chanics to provide us with alternative means of estab- 
lishing security. Fortunately, the practical implementa- 
tion of quantum cryptography has advanced considerably 
over that of quantum computation. We are therefore un- 
likely to face a 'security gap'. Indeed, the first commer- 
cial quantum key distribution systems have recently ap- 
peared on the market . Developments such as these in- 
crease our confidence in quantum cryptography and lead 
us to enquire, more broadly, about which tasks requir- 
ing secure communication could be implemented using 
quantum states. 

It is known that for some tasks, such as bit commit- 



ment, quantum mechanics cannot help However, for 
others, such as secret sharing, a number of novel quan- 
tum protocols have been developed fi]. In an (n, k) secret 
sharing scheme, a classical message is split among n par- 
ties. The key property of such a scheme is that no less 
than k of these parties can extract any information about 
the secret, while any k of them can extract the secret in 
its entirety. 

In some situations, it is more desirable that the iden- 
tity of the person who sent the message, rather than the 
message itself, be kept secret Examples include elec- 
tions, anonymous ballots and referendums. Here each 
voter should should feel able to cast their vote without 
the prospect of coercion or repercussion. Only collective 
features of the set of votes, such as the tally of 'yes' and 
'no' votes, are calculated and made public. 

In this paper, we describe novel quantum protocols for 
voting and a related task that we term surveying. Sur- 
veying is similar to voting in most respects. The main 
difference is that in surveying, the value of the vote cast 
is not restricted to a binary 'yes' or 'no' but may take any 
integer value. As such, surveying corresponds to collect- 
ing estimates of some numerical quantity, such as profit 
and loss values. The identities of the people who make 
each bid are kept private, although the sum of the bids 
is made public. We also analyze the security of these 
protocols under some simple attacks. 

To set our work in context, we review in section [II] a se- 
lection of protocols currently employed in secure classical 
election schemes. We devote section IIIII to the descrip- 
tion of our protocols. The first of these is a simple quan- 
tum protocol for comparative voting. Here, we consider 
two parties voting on a question with a 'yes' or 'no' an- 
swer. The aim is not to determine the tally itself, but to 
determine whether or not both parties voted identically 
without knowing the value of each of the votes. We show 
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that this is possible by encoding the voting information 
in an entangled state. 

Subsequently, we describe a protocol for anonymous 
surveying. It proves robust against certain kinds of at- 
tack. We discuss adaptations of the protocol for an 
anonymous ballot for binary-valued ballots and the re- 
lationship between the privacy of a vote and the ability 
for a voter to cheat by making multiple votes. We con- 
clude in section HVl with a discussion of our results. 



II. CLASSICAL VOTING PROTOCOLS 

Various properties have emerged from the literature as 
being desirable attributes of classical secret ballot vot- 
ing schemes. Amongst these is the concept of resilience 
which involves the properties of universal verifiability, 
privacy, and robustness @ . A universally verifiable elec- 
tion scheme is a scheme deemed open to scrutiny by all in- 
terested parties. Compliance with this property ensures 
that ballots are carried out correctly and that subsequent 
tallies are fairly assessed. For a scheme satisfying the pri- 
vacy property an honest participant is assured that their 
vote remains confidential, provided that the number of 
attackers does not grow too large. With the property 
of robustness, an election scheme has the capacity to re- 
cover from faults again, provided that the number of par- 
ties involved does not grow too large. Schemes satisfying 
these three properties are said to be resilient. Another 
desirable property of an election scheme, particularly as 
a counter to the risk of vote buying or coercion, is that it 
is receipt-free. Receipt-free election schemes ensure that 
voters cannot prove, to other parties, the particular vote 
cast within the scheme @, H|. Further 'desirable proper- 
ties' are to be found in the literature, for example 0]. 

Voting protocols performed within a classical setting 
are in general grouped according to their use of homo- 
morphisms, MIX nets and blind signatures. 

Homomorphic election schemes. These [f| [ToL [ill . 
IT3I [l"H involve the use of a homomorphic, probabilis- 
tic encryption scheme consisting of a plaintext space V, 
a ciphertext space C (each of which form group struc- 
tures (V, o) and (C,o') under appropriate binary opera- 
tions o and o') together with a family of homomorphic 
encryption schemes {-Ejign+ such that Ei : V — ► C by 
v 1 ► c = Ei(y). The homomorphic property (l3j may be 
defined as follows: let Cj — Ei^Vj) and Cfc = Ei k (vk) for 
j,ij,k,ik € N + ; then 3i e N + s.t. Cjo'ck = Ej(vj o Vk)- 
Homomorphic election schemes are important since they 
allow one to derive tallies without the need to decrypt 
individual votes. Such schemes lead to resilient election 
schemes @, [l3[ . 

MIX net schemes. MIX nets were first introduced by 
Chaum (l5j . and have found applications in scenarios 
involving anonymity, elections and payments. A MIX 
net election scheme involves the use of 'shuffle machine 
agents' referred to as MIX servers, [l6| which take as 
input a ciphertext vector (these could be for example, 



encrypted votes) (ci, c%, c„) S (J)™ =1 C-i submitted by 
for example 'voters', (vi,...,v n ) and produces as output a 
permuted vector (in which the components are shuffled) 
of corresponding output (for example, decrypted votes ) 
such that the link between the source for each ciphertext 
('encrypted vote') and its resulting plaintext ('vote') re- 
mains hidden. The resilience properties of privacy, ver- 
ifiability and robustness may be presented in terms of 
'i-privacy', 'f- verifiability' and 'i-robustness', where it is 
understood that t refers to the number of malicious MIX 
servers that the scheme can withstand given at most n — 2 
malicious sources. A scheme satisfying the above three 
i-properties is said to be i-resilient [17|. 

The development of classical MIX net schemes to 
achieve, in particular, privacy initially led to cipher- 
text whose size was proportional to the number of MIX 
servers involved in the scheme. This problem was re- 
solved by Park, Itoh and Kurosawa [16| . resulting in 
ciphertext whose length was independent of the number 
of MIX servers. Sako and Kilian [18j, produced a general 
MIX net scheme satisfying verifiability but failing with 
regard to robustness. The first resilient MIX net scheme 
was produced by Ogata, Kurosawa, Sako and Takatani 

Blind signature schemes. These were also introduced 
by Chaum [201 ] . and have been developed with applica- 
tions in anonymity, election and payment schemes. The 
basic concept involves obtaining a signature to authenti- 
cate a 'message', for example an encrypted vote, without 
the signer being able to observe the message ('vote') it- 
self or its signature. Verification regarding the signature 
is however supported by such schemes whilst maintain- 
ing privacy regarding the actual plaintext. A signer is 
thus denied the ability to link a particular plaintext with 
its corresponding 'blind' signature [2l[. Variations upon 
such schemes are to be found with for example 'Fair Blind 
Signatures' [22j in which the possibility of, for example, 
blackmail is discussed [23j j . 

Sender untraceability schemes. These schemes allow 
information to be sent anonymously. For example, in 
Chaum's Dining Cryptographers' Problem [24| a group 
of diners wish to determine if either an external agency 
or one of the group is paying anonymously for the meal. 
The solution requires 1 bit of information to be broadcast 
anonymously using a communication channel available 
to all diners. The simplest situation occurs for three 
diners with only two possible scenarios: one diner is to 
pay the bill or no diners pay the bill. The diner who pays 
broadcasts the message 1 in the following way. Each diner 
shares a single binary-digit one-time pad with the other 
two. The broadcast is executed by each diner adding the 
two numbers on the one time pads he or she holds. If one 
of the diners is paying he or she adds 1 to the value of the 
sum. The results modulo 2 are announced publicly to all 
diners. The sum of the 3 broadcast messages modulo 2 is 
1 only if the message 1 is sent by a paying diner otherwise 
it is 0. Thus a message is broadcast but the identity of a 
paying diner is untraceable. 



3 



The security of a classical scheme is deemed to be one 
of two varieties: computational or unconditional (also 
known as information-theoretic) security [25]. A scheme 
which can be broken in principle but requires more com- 
puting power than a realistic adversary can access in a 
given critical time is deemed computationally secure. Ex- 
amples are schemes based on the integer factorization 
problem and the discrete logarithm problem. Such com- 
putationally secure schemes are under threat from quan- 
tum computing. On the other hand, a scheme which 
is secure even if an adversary has unlimited computing 
resources is said to be unconditionally secure. A one 
time pad encryption scheme is unconditionally secure. 
Homomorphic maps and mixed nets not based on the 
one time pad are computationally secure. Blind signa- 
tures can be applied in an unconditionally secure man- 
ner to authenticate a vote and sender untraceability pro- 
vides anonymity with unconditional security. Chaum's 
secret ballot protocol [2(| , which uses blind signature and 
sender untraceability schemes, allows unconditionally se- 
cret voting. The sender untraceability component of the 
protocol requires one-time pads between all pairs of vot- 
ers, that is N(N — l)/2 one time pads are required for a 
ballot with TV voters. 



III. QUANTUM PROTOCOLS FOR 
ANONYMOUS SURVEYING AND VOTING 

In this paper we examine a number of quantum proto- 
cols for ballots [H, [33| . In light of the foregoing classical 
schemes, we desire the ballots to satisfy the following 
general rules: 

(Rl) The vote of each voter should be kept secret from 
all other voters. 

(R2) The person (the tallyman) calculating the collec- 
tive quantity should not be able to gain information 
about the voting of individual voters. 

(R3) The votes should be receipt-free. This is to say 
that it should impossible for a voter to prove how 
they voted to a third party, even if they wanted to. 
This condition thwarts vote buying and ensures the 
uncoercibility of the voter. 

An additional rule applies for the special case of a re- 
stricted ballot where the range of values of each vote is 
restricted: 

(R4) A voter may not make more than one vote, that 
is, the value of each vote should not count as more 
than one vote. 

We call a ballot where the votes are restricted to being 
binary-valued a binary-valued ballot. A specific example 
is a simple referendum. We call a ballot that satisfies the 
first three rules but not the fourth an anonymous survey. 



Additional (ancillary) people may be involved in the 
ballot, but they must not have access to any more infor- 
mation about the voting than the tallyman. There are 
a number of different kinds of ballots depending on the 
nature of the ballot question and the collective voting 
information required. 

A. Comparative ballot 

The first quantum voting protocol we shall describe is a 
simple comparative protocol which we call a comparative 
ballot. Consider two voters, Alice and Bob, voting on 
a question with a response of either 'yes' or 'no. There 
is also a tallyman, whose principal aim is to determine 
whether or not they agree, i.e., whether or not they have 
cast the same vote. 

We wish the result of this comparison task to be de- 
terministic and always correct (i.e. unambiguous). It 
should be noted in this context that, if instead of classi- 
cal information, we wish to unambiguously compare pure 
quantum states, then certain restrictions would apply. In 
particular, the possible states would have to be linearly 
independent [271 ] . 

Alice and Bob are assumed to be at spatially separated 
sites A and B. The protocol entails beginning with the 
ballot state representing one particle shared between the 
two sites A and B: 

|C > = i(|l,0) + |0,l». (1) 

Here, \n, m) = \n) A ® |w) B represents n particles 
(bosons) occupying a spatial mode at site A and m 
particles occupying an orthogonal spatial mode at site 
B in second quantization notation. A voter makes a 
'yes' vote by applying the operator exp(iA r 7r), where 
N is the voter's local particle number operator and 
exp(iA r 7r) \n) = exp(inir) \n). A 'no' vote is cast by sim- 
ply doing nothing, which formally amounts to applying 
the identity operator. If both voters make the same vote, 
then the ballot state is unchanged (up to a possible over- 
all sign inversion.) If, on the other hand, their votes are 
different, then the ballot state is transformed into 

|C 1 )=±i=(|l,0)-|0,l)) , (2) 

where the sign ± depends on who votes 'yes'. At all 
times, the voter at one site cannot determine the vote 
cast at the other site. This is because the reduced density 
operator representing the state of the particle at each site 
is always the maximally-mixed state (|0) (0| + |1) (1Q/2. 
The voting is kept strictly private to the respective vot- 
ers. 

The two-particle state is then transferred to the site 
of the tallyman who performs a measurement in the ba- 
sis (|1,0) ± |0, l))-\/2. The tallyman is able to discern 
whether the voters have made the same or opposite vote 
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even though he is unable to determine how each voter 
cast their vote. This situation is similar in some respects 
to the Deutsch- Jozsa algorithm for decidin g th e balanced 
or unbalanced nature of a binary function [28[. Also the 
single particle state in Eq. dJ) is the same state used 
in the data hiding_protocol of Verstraete and Cirac [2!| . 
Whereas in Ref. [29| a third party stores a secret in the 
state shared by Alice and Bob, here it is Alice and Bob 
who store secrets in the shared state. Our protocol satis- 
fies rules 1 and 2 of private ballots, namely each vote is is 
known only to its corresponding voter, and the tallyman 
has access only to the collective (comparative) informa- 
tion. The potential for cheating is limited by the very 
nature of the comparative ballot; voters can only make 
a single vote. The application of an operator other than 
exp(iNir) is interpreted as indecision in the sense that 
the result of repeated identical ballots is stochastic. 



The particles are prepared in the following ballot state: 



\Bo) 



= ^2\N-n,n) 



(3) 



n=0 



where |n, m) = \n) T ® \m) v and \n) v ( \n) T ) represents 
n particles localized in a spatial mode at site V (respec- 
tively T). The sites V and T are assumed to be remote 
from each other. Voters have access only to V and not 
T, whereas the tallyman has access only to T and not V. 
Voter i makes a vote by applying the phase shifting op- 
eration exp(iNvSi) to the spatial mode at site V, where 

Nv \n)y = n \ n )v an d $i — v i' n 'I {N + 1) for a vote corre- 
sponding to an amount Wj . For example, after the vote 
of the first voter the ballot state becomes: 



1 N 



(4) 



B. Anonymous survey 

In the above protocol, the voting information was 
stored in locally inaccessible phase factors in a entangled 
state. This technique can be applied to other situations 
where we wish to maintain anonymity. One such scenario 
is as follows. 

Let us suppose that the chief executive officer (CEO) 
of a firm wants to gauge the effect of a possible action; 
he surveys the opinion of his management team to find 
out what each member thinks the likely profit (or loss) 
will be. To avoid the dishonest responses due to rivalry, 
grovelling, fear of repercussions etc., the CEO wants the 
survey to be anonymous. The managers must report the 
estimated profit or loss for their particular department. 
The CEO is interested in the total for the whole com- 
pany. An alternative, but essentially equivalent, situa- 
tion is that the managers estimate the total profit or loss 
for the firm as a whole, and the CEO wants the aver- 
age of the estimates, that is, the sum of the estimates 
divided by the number of managers. In both cases the 
sum of the estimates is made public and the individual 
amounts are private. We call the protocol for determin- 
ing the sum while keeping the individual amounts secret 
an anonymous survey. 

An anonymous survey should obey the rules R1-R3. 
We now describe a quantum protocol that satisfies these 
rules. We retain the general terminology of 'voters', 
'votes' and the 'tally'. The basic principle of the protocol 
involves a two-mode discrete phase state [3(| Hl| shared 
between the voters and the tallyman. A vote is made 
by translating the phase value of the phase state. Due 
to the shared nature of the state, the actual value of the 
phase is hidden from both the voters and the tallyman 
in a manner analogous to secret sharing [29l | . 

We again use a system of identical particles in the 
second quantization formalism. We employ TV particles, 
where N is equal to or larger than the number of voters. 



The second voter makes a vote in a similar manner with 
the phase shifting angle 82 ■ This voting process is re- 
peated for all voters. The resulting ballot state after the 
?7ith voter is 



\B„ 



1 N 

=== exp(inA m ) I N - n, n) , (5) 

' 71=0 



where A m = 53i=i $i ■ The net value of the accumulated 
votes is M m = YliLi v i which can be deduced from the 
final phase angle using 



2irM m 
N+l 



(6) 



Note that at any point in this operation the tallyman, 
who does not have access to the site V, can only see the 
mixed state 

1 N 

Tr v (\B m ) (B m \) = — - £(|n) (n\) T , (7) 

71=0 

which is invariant under the phase shifting operation. 
Likewise, the voters, who do not have access to the site 
T, can only see the mixed state 



Tr T (|S m )(B m |) = 



1 



N 



N 



1 ^ 

71=0 



(|n) (n\) v 



(8) 



The voting of individual voters is therefore secret from 
other voters and the tallyman. 

At the end of the survey the particles at site V are 
translated to a mode at site T so that the ballot state 



is as in Eq. ([5]) but with |n, m) 



\n) T <S> \m) T . We 
imagine that the tallyman has access to both modes at 
site T. The states \N — n, n) form an orthonormal basis 
for an N + 1 dimensional subspace. We define another 
orthonormal basis as follows [3fJ: 



IT,, 



1 



N 



= ^2 exp(ink9) \N - k, k) 



(9) 



fc=0 
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where 9 = 2ir/(N + 1) and 

(T n \T m ) = S nm . (10) 
The ballot states are all eigenstates of the tally operator. 

N 

f=y n \T n )(T n \ . (11) 

n=0 

To find the tally, the tallyman finds the expectation value 
of the tally operator which yields: 



(12) 



The tallyman can access the tally only once he is in 
possession of all particles. The voting of individual 
voters is kept secret from both the tallyman and the 
voters while the particles are shared between the sites. 

Attack by colluding voters. Two voters, A and B, can 
collude in the following manner to deduce information 
about other voters. First we write the ballot state as 



\Bo) = 



2tt 



2tt 



\^{9))W))de, (13) 



where the single-mode phase states [30j are given by 
1 N 

\m) = ^==]>>- me |^-n}, (14) 



n=0 
N 



L= Y e me In) 

n— 



(15) 



Imagine that voter A locally measures the phase of 
the system at the voting site; this will project the 
system onto a state of the form \tjj(9')) \(j>(9')), where 
9' represents the outcome of the measurement. The 
tally M of votes of subsequent voters then accumulates 
locally in the phase of the local system, resulting in 
the state \tp(9')) \<j>(9' + MS)). Subsequent measure- 
ment of the phase by voter B and comparison with 
the phase measured by A will then reveal the amount M. 

Detection of attack. We note that the ballot state, in 
the absence of the attack, has a fixed number of particles 
N. In contrast the projection onto a phase state induces 
a distribution of particles, and so the attack alters the 
total particle number on average. Thus the attack can be 
detected by the tallyman making a measurement of the 
total particle number N and checking if it differs from TV. 
The probability of detecting the attack by this method 
is 1 — Pn where Pm = l/(iV + 1) is the probability of 
finding N particles in the state \ip{9')) \4>(9')). 

Defence. A defence against this colluding attack is to 
use a multiparty ballot state such as 



\B'\ 



1 



N 

E 

n=0 



\K(N -n),n,n,--- , n) , (16) 



where \i,j, ■ ■ ■ , k) = \i) T ® \j) Vi ® • • • \k)y K for K voting 
sites Vi , i = 1 , • • • , K where K is equal to or larger than 
the number of voters. Each voter i is assigned a unique 
voting site Vi for casting a vote as before, i.e. using the 
phase shifting operation exp(iA r y i ^) to the spatial mode 
at site Vi. The colluding attack is foiled because each vot- 
ing site is used by a single voter. The final multipartite 
ballot state is 



\BL) = 



1 N 

r j= — y exp(mA m ) \K(N - n), ra, n, • ■ ■ ,n> 

(17) 

and the corresponding multipartite tally operator is given 
by 



N 



f' = y n \T' n ){T^\ , 



(18) 



71=0 



where 

it:) = 



1 N 

== y exp(w/c6») \K(N - fc), k, k, ■ ■ ■ , k) 
+ 1 fe=0 



(19) 

After all the particles are translated to the tallyman, the 
tallyman determines the value of the tally from the ex- 
pectation (B' m \ T' \B' m ) = M m in the same manner as 
before. 



C. Anonymous binary- valued ballot 

A special case of an anonymous survey is an anony- 
mous ballot for binary-valued votes which we call an 
anonymous binary-valued ballot. A simple referendum 
would be a specific example of this kind of ballot. Here, 
instead of votes being an arbitrary integer, each vote is 
of a binary nature, 'yes' or 'no', corresponding to an an- 
swer to a public question. The anonymous survey proto- 
col above could be used for an anonymous binary-valued 
ballot provided the voters were honest and restricted 
their vote value accordingly. For example, voter k could 
choose a phase shift angle of Si = for a 'no' vote and 
St = 2n/(N+l) for a 'yes' vote. The tally M m in Eq. © 
then corresponds to the number of 'yes' votes (the num- 
ber of 'no' votes being calculated from the number of 
participating voters less M m ). There are special situa- 
tions where it is in the voters' interest to vote honestly, 
for instance, where the public ballot question is one of 
a personal nature (requiring anonymity) and where the 
voters want to know the true proportion of voting popu- 
lation sharing the same view. Of course, in general, the 
voters may be tempted to vote more than once and, for 
example, a voter may choose Sk — 47r/(iV + 1) to record 
two 'yes' votes. It is therefore important that rule R4 is 
enforced in anonymous binary- valued ballots. 

The underlying reasons why the anonymous protocol 
does not satisfy R4 are rather simple and quite general. 
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Consider two parties Alice and Bob, and the entire initial 
ballot state \B ). Let Ya and Y B be the unitary operators 
used by Alice and Bob respectively to register 'yes' votes. 
It is assumed that they would both vote 'no' by applying 
the identity operator. Any tensor product structure aris- 
ing from, e.g., Alice and Bob registering their votes on 
different systems is taken to be implicit in these defini- 
tions. Let us now consider the implications of anonymity 
and define 

n=\\(Y A -Y B )\B )\\, (20) 

where |||'0)ll = (V'lV')- Anonymity requires that for either 
a 'yes' or 'no' vote, it should be impossible to determine 
who made this vote. It therefore requires that $7 = 0. 

Let us now suppose that one of the parties, say Alice, 
wishes to cheat. She wishes to vote 'yes' twice by making 
it appear as though both she and Bob have voted 'yes', 
where Bob is some other voter who has voted 'no' (and 
in a sufficiently large ballot that such a party exists is 
a fair assumption). Suppose that Alice votes after Bob. 
Then, for Alice's cheating to go undetected, the states 
YbYa\B ) and Y^\B ) must be completely indistinguish- 
able. That this is the case under conditions of anonymity 
can be seen from 

\\{Y B Y A - rJ)|Bo>|| = \\Y B (Y A - Y B )\B )\\ = fi , (21) 

where the last step follows from the unitary invariancc 
of the norm. Under conditions of anonymity, Q = 
and so the two states are completely indistinguishable, 
concealing Alice's actions. 

We may also require that Alice can cheat undetected 
irrespective of the order in which she and Bob cast their 
votes. This will be the case if 

[Y A ,Y B ]\B ) =0 . (22) 

This condition is automatically satisfied if Alice and Bob 
register their votes on different systems, or the same op- 
erators if they use a common system, as is the case in the 
protocol we have described. 

It follows that to protect against this kind of cheating 
strategy, some of the properties of the protocol must be 
changed. The key one seems to be unitarity. It is there- 
fore interesting to explore the possibility of maintaining 
anonymity yet preventing cheating if we drop unitarity 
and use irreversible operations to register votes. We will 
now see that doing so does allow for a certain degree of 
improvement. In particular, we will see how the use of 
irreversibility can limit the extent of one party's cheating 
to a mere 0.5 votes, and only at the expense of reduced 
privacy, in contrast with the limitless extent to which 
they can cheat using unitary operations with impunity. 

The possibility of cheating can be restricted by intro- 
ducing an element of irreversibility into the voting pro- 
cedure. One way of doing this would be to restrict the 
operation able to be performed by each voter to the ap- 
propriate values by directly restricting the macroscopic 
devices used to perform the voting operations. However, 



since the restricted device is not in the total control of 
the voter (by necessity) it seems likely that evidence of 
the action taken by the voter could be traced in the lo- 
cal environment and so criterion Rl is not guaranteed 
to be satisfied. This is clearly a general problem with 
irreversible operations. 

One way to restrict the votes without macroscopic 
means is to replace the initial ballot state Eq. §5§ with 

IK) = ^=E|2(^-n),n,n) , (23) 

where \i,j, k) = \i) T ® \j) v ® \k) v and V\ and V2 label 
two voting sites which are controlled by two ballot agents 
A\ and A2, respectively. Each voter privately records 
their vote in a (separate) pair of qutrits (i.e. a pair of 
spin-1 systems) with the state (|0, —1) + |— 1,0))/V2 for 
a 'no' vote or the state (|0,1) + |l,0))/\/2 for a 'yes' 
vote. Here the qutrit states |— 1), |0) and |1) correspond 
to eigenstates of the z component of spin. One qutrit is 
given to each of the ballot agents who locally apply the 
operation 

exp[i/vW<5(! + iffW)] ® exp[iN^5(± + Jo-W)] , (24) 

where 5 = 2tt/ (N+l), is the z component of spin for 
qutrit i at site Vi , and N^> operates on the spatial mode 
in \Bq) at site Vi. This allows the votes to accumulate in 
the discrete phase angle as before and ensures that each 
voter casts a single vote. 

Attacks by ballot agents. The 2 separated ballot agents 
cannot separately learn the nature of the vote with cer- 
tainty. For example, one ballot agent may measure the z 
component of spin on the qutrit at his site. This would 
reveal the nature of the vote only half of the time. 

Defence: tamper evidence. The attack by the ballot 
agents will result in the qutrit pair being in a product 
of eigenstates of the z component of spin. Thus to de- 
tect the attack, the qutrit system should be immediately 
returned to the voter following the action by the ballot 
agents, and be subjected to measurement in a basis which 
includes the states representing 'yes' and 'no' votes to de- 
termine if the state has been changed. The attack will be 
detected one half of the time. Any instances of changed 
states are made public, and hence attempted cheating by 
a ballot agent will be detected, on average. The qutrit 
system is therefore tamper evident, on average, in this 
sense. 

Alternatively, the privacy of the vote can be increased 
by increasing the number of ballot agents and the number 
of qutrits used to store each vote. For example, in a 3- 
qutrit, 3-ballot agent scheme, the ballot state would be 

1 N 

\B%) = -== J2 W N ~ n )> n > n > n ) ■ ( 25 ) 

The votes would be made by preparing the states 
(|0,0,-1> + |0, —1,0) + |-1, 0,0))/ VS for a 'no' vote or 
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the state (|0, 0, 1) + 10, 1, 0) + 11, 0, 0))/V3 for a 'yes' vote, 
and each ballot agent Ai applies the operation 

exp[ijV«5(! + iaf))] (26) 

to their local qutrit system and the spatial mode of 
A measurement of the ^-component of spin of one 
of the qutrits by a ballot agent will now reveal the value 
of the vote only one third of the time, making the vote 
more private. 

Attacks by voters. A voter need not prepare the 
states corresponding to a 'yes' or 'no' vote. Indeed, 
he may try to maximize the value of his vote, for 
example, by preparing the qutrit pair in the cheat 
state |1,1). The action of the operator in Eq. (f24|) 
applied by the two ballot agents then increases the phase 
angle of the ballot state by 36/2, that is, by 1.5 votes [34j . 

Defence: tamper- evidence versus vote-value tradeoff. 
The attack by the voter may increase the value of the 
vote, but this is at the expense of abandoning the tamper- 
evident nature of the qutrit system. A measurement of 
the z component of spin of one of the qutrits in the cheat 
state will reveal the value of the vote without altering 
the state; this allows a ballot agent to determine the vote 
without being detected. Hence, a voter may cheat by a 
half vote but only at the expense of losing the privacy of 
his vote. 



IV. DISCUSSION 

We have introduced quantum protocols for ensuring 
the anonymous voting in a number of different scenarios. 
Central to the protocols is the ballot state, which is an 
entangled state shared between at least two sites. The 
ballot state stores the tally of the votes which are reg- 
istered using local operations. At all times the value of 
the vote tally stored in the ballot state is not available 
at any one site, but only in the collection of the sites. 
The ballot therefore represents a distributed memory and 
this property ensures the privacy of each vote and thus 
the anonymity of each voter. After all votes have been 
made, the vote tally can be determined by a collective 
measurement. 

We identified 4 rules (R1-R4) which lead to desirable 
properties of anonymous ballots. The different kinds of 
ballot depend on the ballot question, the collective infor- 
mation required and the subset of rules. We described 
protocols for a comparative ballot, where the 'yes' or 
'no' answers of two voters are compared, an anonymous 
survey, where the voters make anonymous votes of inte- 
ger value, and an anonymous binary- valued ballot, where 
the 'yes' and 'no' answers to a ballot question are tallied 



anonymously. We note that an anonymous binary- valued 
ballot is closely related to an election, and indeed, it cor- 
responds to an election for the special case of two candi- 
dates. We are currently exploring other possibilities. 

We have analyzed our protocols against a number of 
attacks. In particular, we found that for the anonymous 
binary- valued ballot the cheating by a voter is associated 
with reduced security. In one variant of the protocol, 
while the value of the vote of an honest voter is 1, a 
dishonest voter can make a vote of value equal to 1.5 and 
essentially cheat by 0.5 vote. However, this occurs at the 
cost of reduced privacy since the tamper- evident nature of 
the protocol, which allows the voter to detect an attack 
by a ballot agent, is only available if an honest vote is 
made. The various schemes are unconditionally secure 
on average in the sense that attacks can be detected with 
non-zero probability. 

For comparison, we note that Chaum's classical secret 
ballot protocol is also unconditionally secure [26J]. The 
secrecy is protected through the use of one-time pads 
which are shared between all pairs of voters. In a ballot 
with N voters, this requires each voter to distribute N— 1 
one time pads with the other voters. Thus the computa- 
tional complexity of the protocol from the perspective of 
a voter is of order N. In contract, in our quantum vot- 
ing scheme each voter needs to share a single multiparty 
entangled state with the tallyman. For example the tal- 
lyman could locally prepare a set of spatial modes in the 
ballot state and then teleport the states of the entangled 
modes to each corresponding voter. The computational 
complexity from the perspective of a voter is therefore of 
order unity, which is an iV-fold reduction. 

We also found a related property [34[ for our anony- 
mous binary-valued ballot protocol as follows: as the pro- 
tocol is modified to increase the privacy of the vote, the 
restriction on the possible values of an individual vote 
weakens. This appears to be a general trade-off property 
and we are currently exploring it in more detail. Indeed 
our results represent an initial study of this topic and are 
not intended to be complete. We hope our results will 
stimulate further research into this area. 
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and the bound on the vote. We have already shown that 
in the 2-qutrit, 2-ballot agent scheme, the value of an 
honest vote can be revealed by an a ballot-agent attack 
in 1/2 of the attacks, and the voter can cheat by prepar- 
ing the state jl, 1} which results in a vote of value 2. In 
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